Are you GDPR-ready?
Posted by: INSZoom | Date: May 8, 2018
GDPR goes into effect on May 25. “Are you prepared? Are you GDPR-compliant? Are you ready?”
When the European Union announced its intention to expand the reach of its existing data privacy laws over two years ago, U.S. businesses focused on what their burden of compliance would be and how it would affect their level of liability. At the time, the GDPR (General Data Protection Regulation) was an unprecedented expansion of enforcement by a major global economy onto businesses outside its borders. Experts and consultants pored over the several hundred pages of regulations and articles and came to a core consensus: any entity that handles the personal data of EU nationals and individuals would be affected, even if it is physically and legally outside the EU. At the beginning, the focus was mostly on how the EU authorities would view GDPR and data privacy compliance.
Flash forward to now, and the question U.S. businesses are asking themselves is not just what the EU authorities expect but what their customers expect. Equifax’s and Facebook’s recent missteps in handling personal data have made average users painfully aware of how vulnerable their personal information is to misuse and exploitation.
Whether GDPR directly and legally applies to your specific business or legal practice may come down to the finer details of the GDPR regulations. How much personal data are you handling? What type of personal data is it, and how private is it? And for what purpose is the personal data used?
If you’re an INSZoom customer, it’s likely you’re using your client’s personal data for a mutually agreed purpose related to immigration, global mobility or travel. These types of data transactions don’t appear to be of critical concern to the EU authorities under GDPR, because of their specificity, narrow scope, transparency and consent of use. Though the collected personal information is private, sensitive and non-public (e.g. racial or ethnic origin, financial, legal, etc.), it is not used for the behavioral monitoring or mass data analytics that have been the subject of such public scrutiny, criticism and lawsuits.
Given the current state of privacy awareness, it should not come as a surprise that many of our customers are using the May 25th deadline not only as a GDPR compliance date but also as a blanket data privacy readiness date for all their users, not just EU users. It would not be the first time that a new regulation has had an impact beyond its original objective. It’s probable that we are entering a new normal, with a higher baseline of expectation for what is required in data security and privacy.
Regardless of the size of your GDPR footprint, INSZoom is well positioned to provide the technology, structure and support needed. We have followed ‘Privacy by Design’ practices since our beginning in 1999. INSZoom holds ISO/IEC 27001 certification, and all data collected is stored in a 256-bit encrypted SQL database. Technology experts have found that data security best practice under the ISO 27001 framework meets much of what GDPR requires under its articles, including “technology and security measures” such as:
- ISO 27001 mandates the listing of all relevant statutory, legislative, contractual, and regulatory requirements.
- The risk assessment requirements of ISO 27001 mandate the implementation of a Data Protection Impact Assessment and an evaluation of privacy risks.
- The asset management requisites of ISO 27001 treat personal data as a valuable information security asset, requiring you to define which personal data are involved in your operations, their origins, where they are stored, for how long, and who has access to them, including any applicable supplier and storage relationships.
- ISO 27001 governs systems acquisition, development and maintenance, requiring data security to be an integral component of information systems throughout their lifecycle.
- Breach notification strictures under ISO 27001 entail an efficient and consistent method of handling data security incidents so that authorities can be notified within 72 hours of the discovery of a personal data breach.
- ISO 27001 uses risk assessments to identify the necessary controls for risk management, data protection impact assessments, and mitigation of risks to the rights and freedoms of data subjects.
In addition, the INSZoom application has committed itself to respecting and promoting the data rights the GDPR has outlined, for all our customers, by affirming the following:
- No controller or data subject personal data is subject to cross-border data flows outside the U.S., including to the EU. All data is stored on our hosted servers with Amazon Web Services in North America (U.S. for our U.S. clients and Canada for our Canadian clients), which have military-level security.
- No controller or data subject personal data is shared with any unauthorized third party including contractors or outside entities such as credit, consumer or marketing entities.
- INSZoom will process our customers’ data for the sole purpose of providing the services according to their instructions and hosting and service agreements.
- INSZoom will implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk, as set out by the GDPR and related regulations.
- INSZoom will inform our customers without undue delay of requests from their Data Subjects exercising their Data Subject rights, where such requests are addressed directly to INSZoom regarding our customers’ personal data.
- INSZoom will maintain and commit itself to our customers’ confidentiality and will not process such personal data for any other purpose, except on instructions or unless required by applicable law.
- INSZoom will make every good faith effort to assist and cooperate with our customers’ reasonable requests for GDPR-related assistance regarding Information, Audit, Return/Deletion, Processing, Assistance and Records requests.
We’re proud to declare that all our subscription plans meet the GDPR readiness commitments outlined above, in addition to offering the tools and features below, which provide further support in meeting your customers’ GDPR expectations:
- E-Consent Module allows you to capture and store a clear and authorized consent from the user to use their data towards the agreed immigration or mobility action.
- Ad hoc Reports to track your data user population based on whatever information and audits you need to collect and maintain.
- HR and Global Vendor Portals to work more closely with the business partners who directly oversee their employees, the impacted data users.
- FN Portals to allow data users to exercise control over their own data, for GDPR and beyond.
- Multifactor Authentication as an additional security and technology measure.
- Knowledge Base, Alerts and Compliance Management for custom configurations to better organize and maintain your client data users.
As a SaaS solution, INSZoom has always stayed ahead of and adapted to industry changes. We are committed to providing the best solutions by listening to our customers, innovating and adapting to the ever-changing immigration industry.